Bypassing Dangerous PHP Functions
system: executes the command and prints all of its output immediately; used for text output.
passthru: also outputs immediately, but passes the raw output straight through, so it is used for binary data rather than ASCII text.
shell_exec: returns the full output of the command as a string once the command has finished running.
exec: returns only the last line of the generated output.
Imagine that you found a file upload or Remote File Inclusion vulnerability where you can upload/request your php-reverse-shell and get a quick shell. However, the administrator may have disabled all of the above PHP functions, so let's see these 4 dangerous PHP functions in action first before we move on to the other functions.
System
Shell_exec
Exec
Passthru
Nice! We can run OS commands and get the output of the command. So what happens if we disable all 4 of these functions? Disable the dangerous PHP functions above in the php.ini file under /etc/php/7.2/cli/php.ini and set display_errors to On.
If you are performing this exercise through Apache, you may need to disable them in /etc/php/7.2/apache2/php.ini instead, since each SAPI reads its own php.ini. Let's run the same PHP files again.
Please also note that we are receiving this error because of the display_errors = On setting. You can enable this setting in a test environment, but you need to disable it on a live (production) environment.
PHP-Reverse-Shell Pentestmonkey
We all know the famous php-reverse-shell for Linux from pentestmonkey. We can try to get a shell with it, as it uses the proc_open function.
Listening for the shell. We got a root shell.
Proc_open
Disable the proc_open function as well.
Msfvenom PHP Shell
We can't get a shell now. Let's create an msfvenom PHP shell.
So we disabled a bunch of dangerous PHP functions, but we can still get a shell. Let's go through the PHP code now:
It looks interesting. We can see the shell_exec, passthru, popen, exec, system and proc_open functions in the code generated by msfvenom. Let's compare these functions against our disable_functions entry in php.ini. popen seems interesting.
Popen
After disabling popen, I was still able to get a shell, and I noticed another line in shell.php, which is below:
Fsockopen and Socket_create
If no exec functions are enabled, it uses fsockopen. I disabled fsockopen and socket_create as well; as a result, I can't get a shell now.
Mail() and Putenv()
Here is a neat method which abuses the mail() and putenv() functionality: https://www.tarlogic.com/en/blog/how-to-bypass-disable_functions-and-open_basedir/
You can download the Chankro tool from GitHub and test it as well. It works smoothly to bypass disable_functions. To block this method, you also need to disable the putenv() function.
Mod_cgi
Another method with mod_cgi: https://web.archive.org/web/20160708143917/https://blog.asdizzle.com/index.php/2016/05/02/getting-shell-access-with-php-system-functions-disabled/
Imap_open()
One of the latest disable_functions bypasses uses the imap_open function. It looks really similar to the mail() and putenv() bypass. You can find a great explanation here: https://lab.wallarm.com/rce-in-php-or-how-to-bypass-disable-functions-in-php-installations-6ccdbf4f52bb
To prevent the imap_open bypass, you need to set imap.enable_insecure_rsh to 0. It is 0 by default, but if you are in a test environment and want to play with the vulnerability, you can set it to 1 and observe the behaviour with the strace tool on Linux.
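As an added example (not code from the original article or from any of the tools it mentions), here is a small PHP audit script that reports which of the functions walked through above are still callable under the running SAPI's configuration, together with the display_errors and imap.enable_insecure_rsh settings discussed. The watched-function list and the file name audit.php are my own choices.

```php
<?php
// Added audit script: run it with the SAPI you want to check, e.g.
// `php audit.php` for /etc/php/7.2/cli/php.ini, or request it through
// Apache to check /etc/php/7.2/apache2/php.ini, since each SAPI has its own ini.

// Functions the article shows being used to obtain a shell (list is my own).
$watched = [
    'system', 'passthru', 'shell_exec', 'exec',   // the four command functions
    'proc_open', 'popen',                         // pentestmonkey / msfvenom shells
    'fsockopen', 'socket_create',                 // msfvenom fallback when no exec works
    'mail', 'putenv',                             // mail() + putenv() (Chankro) method
    'imap_open',                                  // imap.enable_insecure_rsh method
];

// disable_functions may be comma- or space-separated; normalise to an array.
$disabled = array_filter(preg_split('/[\s,]+/', (string) ini_get('disable_functions')));

// Returns fn => 'disabled' | 'not compiled in' | 'CALLABLE' for each watched function.
function audit_functions(array $watched, array $disabled): array
{
    $report = [];
    foreach ($watched as $fn) {
        if (in_array($fn, $disabled, true)) {
            $report[$fn] = 'disabled';
        } elseif (!function_exists($fn)) {
            $report[$fn] = 'not compiled in';   // e.g. imap_open without ext/imap
        } else {
            $report[$fn] = 'CALLABLE';
        }
    }
    return $report;
}

foreach (audit_functions($watched, $disabled) as $fn => $state) {
    printf("%-14s %s\n", $fn, $state);
}

// Settings from the article: display_errors should be Off outside test
// environments, and imap.enable_insecure_rsh must remain 0 (its default).
$rsh = ini_get('imap.enable_insecure_rsh');
printf("display_errors           = %s\n", ini_get('display_errors') ?: '0');
printf("imap.enable_insecure_rsh = %s\n", $rsh === false ? '(imap not loaded)' : $rsh);
```

Any line reporting CALLABLE is a function the article shows being used for a shell that the current configuration still allows.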